Take one agency that asked DHS to perform a "Red Team" exercise. It thought it had
2,000 to 3,000 computers on a specific network, but Homeland Security's team
stopped counting at 9,000. Rob Karas, the program manager of the risk evaluation
program, or Red Teaming initiative, at DHS, said that until the agency understood its
network better, it wasn't worth continuing.

"We worked with them and helped them identify why they had so many hosts on their
network and how they could architect and design it better," he said in an
interview with Federal News Radio. "We worked with them to remove hosts or close
off networks that shouldn't have been there."

Another agency had 500 public-facing Web servers, and through DHS' analysis, it is
reducing that number to about 100 and thus shrinking its attack surface.

These are but two examples from a growing list of ways DHS' Federal Network Security (FNS) branch is helping agencies
harden systems and networks.

"Ideally, our Red and Blue team services are designed to be a proactive engagement
with agencies to improve their posture," said Don Benack, the program manager for
DHS' cybersecurity assurance program within FNS. "We provide free specialized
access to skills and services that are not readily available or are in high demand
across the dot-gov to promote a healthy and resilient cyber infrastructure. That's
the goal: to do risk-based analysis and gap analysis of capabilities and drive
improvements."

DHS taking different Red Team approach

Congress appropriated $35 million for the FNS branch, of which about $7.6 million
can be used for these red team analyses. In 2013, Congress so far has appropriated a little less for these Red Team efforts.

Typically Red Teams try to hack into a network to highlight its vulnerabilities.
But Benack said DHS is taking a different tack that gets to the heart of the
problem more quickly.

"The Red Teams, rather than focusing on system compromise, focus on risk
evaluation, which allows us to optimize the process a little bit," he said.
"Instead of spending time breaking into the system and then using that as proof to
an agency that they have a problem, the idea is to identify threats and
vulnerabilities actively working against their agencies. What are the threat
vectors they have to worry about? What are the active actionable vulnerabilities
on their network? We then marry that together with an agency-specific point of
view so they can address those risks first and foremost."

DHS FNS also provides Blue Teaming exercises, which have been going on for a few
years.

Benack said the Blue Teams look at how agencies are meeting the requirements under
the Trusted Internet Connections (TIC) initiative to consolidate public Web
gateways.

"Our Blue Teams take a proactive look at the capabilities in place. Do you have
the foundational elements to your program to defend against an attack, to respond
and recover from an attack, and hopefully prevent an attack up front?" he said.
"They also assess and validate agency implementation of technical controls, tools
and technologies - people, processes and program maturity."

DHS also is expanding the Blue Teaming efforts beyond TIC to ensure agencies'
cyber capabilities are aligned with requirements established by the Obama
administration's cross-agency priority goal for cybersecurity and continuous monitoring efforts.

New service for agencies

The branch launched the Red Teaming exercise in late February after Congress
approved the fiscal 2012 budget. Over the last four months, DHS has conducted five
Red Team evaluations and has five more scheduled for the rest of the year.

Karas said the goal is to perform 26 to 30 Red Team engagements annually.

DHS also has done 28 Blue Team assessments with six more agencies on tap.

The Red Team exercises take about two weeks for the average agency. Karas said the
five-person team, which is usually made up of a federal manager and four
contractors, spends a week doing external analysis of the customer agency's system
and a week doing internal analysis.

"Right now, it's up to an agency's chief information security officer or chief
information officer to determine if they want or need Red Team services," Benack
said. "We work with them to determine the system or group of systems that are most
important to look at."